CVE-2026-33013
Denial of Service in Micronaut Form-Urlencoded Body Binding
Publication date: 2026-03-20
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| objectcomputing | micronaut | Up to 3.10.5 (excluding) |
| objectcomputing | micronaut | From 4.0.0 (including) to 4.10.16 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade the Micronaut framework to a fixed version. The vulnerability has been patched in Micronaut Core versions 4.10.16 and 3.10.5.
No known workarounds exist other than upgrading to these fixed versions to prevent exploitation of this denial of service vulnerability.
Can you explain this vulnerability to me?
CVE-2026-33013 is a high-severity denial of service (DoS) vulnerability in the Micronaut Framework, which is a JVM-based Java framework. The issue occurs in the form-urlencoded body binding process, specifically in the JsonBeanPropertyBinder::expandArrayToThreshold method. The vulnerability arises because the method does not correctly handle descending array index orders when processing form parameters.
When a crafted HTTP POST request contains indexed form parameters in descending order (for example, authors[1].name followed by authors[0].name), the binder enters a non-terminating loop. This causes excessive CPU usage, memory exhaustion, and eventually an OutOfMemoryError, leading to a denial of service condition.
This vulnerability affects Micronaut versions prior to 4.10.16 and 3.10.5 and has been fixed in those versions.
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) condition in applications using vulnerable versions of the Micronaut Framework. An attacker can send specially crafted form-urlencoded HTTP POST requests with descending array indices, triggering a non-terminating loop in the server.
The impact includes sustained high CPU usage, memory exhaustion, and eventually an OutOfMemoryError, which can crash or make the application unresponsive. This disrupts the availability of the affected service, potentially causing downtime or degraded performance.
No confidentiality or integrity impacts are associated with this vulnerability, but the availability impact is high.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP POST requests with form-urlencoded parameters that use descending array indices, which trigger the denial of service condition. For example, sending a POST request with parameters such as 'authors[1].name' followed by 'authors[0].name' causes the vulnerable Micronaut application to enter a non-terminating loop, resulting in high CPU and memory usage.

A practical command to test for this vulnerability is using curl to send such a crafted request:

```shell
curl -v -X POST 'http://127.0.0.1:8080/submit' -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'authors[1].name=RobertGalbraith' --data-urlencode 'authors[0].name=JKRowling'
```

If the system is vulnerable, this request will cause excessive CPU and memory consumption, potentially leading to an OutOfMemoryError or application unresponsiveness. [1]
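As an added example that is not part of this advisory or of Micronaut's own code, the following Python script inspects a form-urlencoded request body and flags any indexed parameter group whose indices appear in descending order, the request pattern the answer above describes. It is meant for bodies captured at a reverse proxy or in WAF logs, so the pattern can be spotted passively rather than by sending requests at a live service. All function names are my own, the regular expression is an assumption about how indexed keys are written (`name[0].field`, nested as `name[0].items[1]`), and the sample bodies are constructed; the first one reproduces the parameters from the curl command quoted above.

```python
import re
from urllib.parse import parse_qsl

# One indexed path segment such as "authors[1]" or ".books[0]"; group 1 is the
# numeric index. Keys with empty brackets ("tags[]") carry no numeric index and
# are deliberately ignored.
_INDEX = re.compile(r"[^\[\]]*\[(\d+)\]")


def indexed_segments(key):
    """Return (path_prefix, index) pairs for every numeric bracket index in a key.

    "authors[1].books[0].title" -> [("authors", 1), ("authors[1].books", 0)]
    The prefix is everything before the opening bracket, so a nested array is
    tracked separately from its parent array.
    """
    return [(key[: m.start(1) - 1], int(m.group(1))) for m in _INDEX.finditer(key)]


def descending_index_groups(body):
    """Map each indexed prefix to its indices in order of appearance, keeping only
    the prefixes whose indices ever decrease (e.g. [1, 0] for the advisory's example).

    `body` is the raw application/x-www-form-urlencoded request body.
    """
    seen = {}  # prefix -> indices in the order they occur in the body
    for key, _value in parse_qsl(body, keep_blank_values=True):
        for prefix, idx in indexed_segments(key):
            seen.setdefault(prefix, []).append(idx)
    return {
        prefix: idxs
        for prefix, idxs in seen.items()
        if any(later < earlier for earlier, later in zip(idxs, idxs[1:]))
    }


def is_suspicious(body):
    """True when any indexed parameter group in the body has descending indices."""
    return bool(descending_index_groups(body))


if __name__ == "__main__":
    # Constructed sample bodies: the first matches the curl request quoted in the
    # advisory; the others cover ascending, nested and non-indexed keys.
    samples = {
        "advisory example": "authors[1].name=RobertGalbraith&authors[0].name=JKRowling",
        "ascending": "authors[0].name=A&authors[1].name=B",
        "nested descending": "authors[0].books[1].title=A&authors[0].books[0].title=B",
        "not indexed": "name=x&tags[]=a",
    }
    for label, body in samples.items():
        print(f"{label:18} suspicious={is_suspicious(body)} {descending_index_groups(body)}")
```

The check is deliberately order-based rather than a simple "indices must start at 0" rule, because the advisory ties the loop to the descending order of the indices, not to their absolute values; repeated equal indices and ascending gaps are left unflagged so that ordinary form posts do not generate noise. It is a monitoring aid to use alongside the upgrade named above, not a replacement for it.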